From 334bb80e4cebb56ec96f048cbef5f7b4f45e0763 Mon Sep 17 00:00:00 2001
From: meacer <meacer@chromium.org>
Date: Wed, 20 Nov 2019 19:33:59 +0000
Subject: [Backport] Security bug 1025442
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1922280:

Disallow middle dot (U+00B7) when unsafe in IDN display

This character ("·") can be used to spoof domain names. Only allow
if it's used to express Catalan character ela geminada on Catalan
domains (i.e. when used between 'l' characters).

According to usage logs, this change affects a single domain name
with a small number of users.

Bug: 1025442
Change-Id: Ic45ad4ddb87a46e5394581babce18988004782f8
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
---
 .../spoof_checks/idn_spoof_checker.cc              | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/chromium/components/url_formatter/spoof_checks/idn_spoof_checker.cc b/chromium/components/url_formatter/spoof_checks/idn_spoof_checker.cc
index f394f73cd3f..6afb8b9e736 100644
--- a/chromium/components/url_formatter/spoof_checks/idn_spoof_checker.cc
+++ b/chromium/components/url_formatter/spoof_checks/idn_spoof_checker.cc
@@ -76,6 +76,35 @@ base::ThreadLocalStorage::Slot& DangerousPatternTLS() {
   return *dangerous_pattern_tls;
 }
 
+// Allow middle dot (U+00B7) only on Catalan domains when between two 'l's, to
+// permit the Catalan character ela geminada to be expressed.
+// See https://tools.ietf.org/html/rfc5892#appendix-A.3 for details.
+bool HasUnsafeMiddleDot(const icu::UnicodeString& label_string,
+                        base::StringPiece top_level_domain) {
+  int last_index = 0;
+  while (true) {
+    int index = label_string.indexOf("·", last_index);
+    if (index < 0) {
+      break;
+    }
+    DCHECK_LT(index, label_string.length());
+    if (top_level_domain != "cat") {
+      // Non-Catalan domains cannot contain middle dot.
+      return true;
+    }
+    // Middle dot at the beginning or end.
+    if (index == 0 || index == label_string.length() - 1) {
+      return true;
+    }
+    // Middle dot not surrounded by an 'l'.
+    if (label_string[index - 1] != 'l' || label_string[index + 1] != 'l') {
+      return true;
+    }
+    last_index = index + 1;
+  }
+  return false;
+}
+
 #include "components/url_formatter/top_domains/alexa_domains-trie-inc.cc"
 
 // All the domains in the above file have 3 or fewer labels.
@@ -293,6 +322,11 @@ bool IDNSpoofChecker::SafeToDisplayAsUnicode(
       label_string.indexOf("ə") != -1)
     return false;
 
+  // Disallow middle dot (U+00B7) when unsafe.
+  if (HasUnsafeMiddleDot(label_string, top_level_domain)) {
+    return false;
+  }
+
   // If there's no script mixing, the input is regarded as safe without any
   // extra check unless it falls into one of three categories:
   //   - contains Kana letter exceptions
-- 
cgit v1.2.1